Why is Malwarebytes blocking CoinHive?

Author: Adam Kujawa | Date: Wed, 18 Oct 2017 15:00:25 +0000

If you have encountered a Malwarebytes web protection block for coinhive.com over the last few weeks, you are either glad about it, angry about it, or don't really care. Since September 19, coinhive.com has been the second most frequently blocked website for our customers, and when we see that volume of blocking (over 130 million blocks in a few weeks), we owe you an explanation of why we are doing it.

This post will describe what CoinHive is, what it is doing, and why we are blocking it. We’ll even tell you how to exclude this from your instance of Malwarebytes, if you decide to do so.

What is Cryptocurrency mining?

Do you remember when Bitcoin first came out? It stayed under the radar for a while; mainly hobbyists and people involved in developing the cryptocurrency platform paid attention to it. Over a few years, Bitcoin (BTC) became more and more popular, and an army of Bitcoin miners emerged. A miner, in this context, is the software or hardware (and the person running it) built for a single purpose: racing to solve the proof-of-work hash puzzles that add blocks to the currency's ledger, in return for a small share of newly issued coins.

A lot of people got involved in BTC mining, which resulted in a mixed bag of mining technologies being created and distributed, and in some cases installed on machines without their owners' consent. Someone with the intent and the means can run dedicated BTC miners, collecting small fractions of a coin until they have a decent amount to exchange for goods, services, or government-backed money (USD, GBP, etc.).

Cryptocurrency miners are usually VERY resource intensive, because you are asking your system to run an enormous number of hash calculations, as fast as it can, for as long as the miner is running. That is fine if you have hardware built for it. But on a ten-year-old system you bought off the shelf, it will not only slow everything else down; sustained 100 percent CPU load can overheat and, in the worst case, damage the hardware.

Miner running on system while visiting The Pirate Bay. Notice the 100% CPU Usage

Over the years, we have also seen miners bundled with sketchy software and malware, as a way for the people behind that kind of garbage to make more money. At the same time, Bitcoin exchange rates have skyrocketed while the amount an ordinary computer can earn by mining BTC has become incredibly low, because so many people are competing for the same rewards. As a result, new cryptocurrencies have popped up.

Here is a list of the most popular cryptocurrencies back in July 2017, according to an article on Mashable:

  • Bitcoin
  • Ethereum
  • Litecoin
  • ZCash/Monero
  • Tezos

These are the most popular, and therefore the most valuable, because there has been heavy investment in their growth. It is no surprise, then, that more than one of them has had miners put in places they did not belong.

What is CoinHive?

CoinHive is a service that provides a cryptocurrency miner you can deploy on your website using JavaScript. The coin of this particular realm is Monero (mentioned above), and the service touts JavaScript mining as an alternative to advertising revenue.

It offers an API that lets website owners drop a miner into their pages, have it report back to the CoinHive remote server and, unfortunately, run on visitors' systems without asking their permission: nothing in the service requires the site to obtain consent first.

Why are we blocking it?

We do not claim that CoinHive is malicious, or even necessarily a bad idea. The concept of letting people opt in to an alternative to advertising, which has been plagued by everything from fake news to malvertising, is a noble one. The execution is another story.

The reason we block CoinHive is that there are site owners who do not ask their visitors' permission before running CPU-gorging code on their systems. A regular Bitcoin miner can be a tiny program or a powerhouse, depending on how much computing power the person running it chooses to devote. The JavaScript miner lets the embedding site set how hard each visitor's machine works, but that choice belongs to the site owner, not the visitor, and a site owner who wants your CPU pegged can slow your computer to a crawl.

Another torrent site running a Monero miner in the background, once again 100 percent CPU usage for visiting a website

Either way, if you know what cryptocurrency miners are, and JavaScript miners in particular, this may be a technology you want to see more of. If so, we include instructions below on how to add an exception for CoinHive. But for users who do not know about this kind of technology, its purpose, or what it can do to their system, we are not comfortable letting greedy website owners take advantage of them, and so we block it.

How to add an exception

At Malwarebytes, we want to arm our users with knowledge about threats and the tools to protect themselves from those threats. However, we are not in the business of censoring or restricting access to a thing people want to use. For cases like CoinHive, it’s kind of a gray area, so in addition to telling you why we block this site and the danger associated with it, we will also tell you exactly how to get around our block.

Step 1: exclusion tab

In Malwarebytes for Windows, the Settings area has an Exclusions tab. You can navigate there manually or, after trying to reach coinhive.com, click the Managed Exceptions button at the bottom of the block notification.

Step 2: select exclusion type

Next, select the kind of exclusion you want to make. You can exclude anything from applications and websites to exploit detections. Select the Website Block radio button and press Next.

Step 3: add exclusion

Finally, Malwarebytes will ask you for the website URL or IP address of the site you want to exclude. For CoinHive, you will need to exclude both the website and the IP address it resolves to.

Step 4: rinse and repeat

As mentioned above, you will need to add an exclusion for both the CoinHive URL and the IP address its domain name resolved to at the time of writing (that address can change, so if the block persists after you add both entries, check the current address with nslookup or dig and add that as well). Please add exclusions for the following:

  • coinhive.com
  • 94.130.90.152

After you complete adding the exclusions, your exclusion list in the Malwarebytes interface should look like this:

Step 5: testing

Your final step is to navigate to coinhive.com and make sure it is no longer blocked. If it is, go back and check the settings to make sure you entered the URL and the IP address correctly. I tested this myself and it works. If you have done everything correctly, you will be able to reach the CoinHive website and also use the miners, even with full Malwarebytes protection enabled. Keep in mind what that exclusion covers: web protection matches on the destination being contacted, so once coinhive.com is excluded, the miner will also be allowed to run on any third-party site that embeds it, whether or not that site asked you first.

For more information about adding exclusions to your instance of Malwarebytes for Windows, please check out this Knowledge Base article we’ve written that guides you through every type of exclusion.

We hope some of you who are upset about our detection will understand why we decided to block this and similar websites after reading this article. We know there is a lot of controversy over not only this case, but mining technology in general, and moving forward we need to make sure we use it responsibly and securely. All new technologies have growing pains. The key is to make sure to learn lessons from the past, ensure that technology is secure and that the spirit of why it was created in the first place continues on in new evolutions.

We watched as the advertising industry evolved in such a way that made it easy for cybercriminals to use their platforms to attack users. We really don’t want to see miners go down the same path, and we hope it isn’t too late already.

Thanks for reading, safe surfing, and catch you next time!

The post Why is Malwarebytes blocking CoinHive? appeared first on Malwarebytes Labs.
